[sw/silicon_creator] Update manifest fields
This change:
- Removes `extension_*`, `reserved*`, `usage_constraints`,
`lockdown_info`, `image_version`, and
- Adds `image_major_version`, `image_minor_version`, `binding_value`,
and `max_key_version`.
Fixes #5953 #5954
Signed-off-by: Alphan Ulusoy <alphan@google.com>
diff --git a/sw/device/silicon_creator/lib/manifest.h b/sw/device/silicon_creator/lib/manifest.h
index 93174c0..842e2d4 100644
--- a/sw/device/silicon_creator/lib/manifest.h
+++ b/sw/device/silicon_creator/lib/manifest.h
@@ -38,10 +38,6 @@
*/
uint32_t identifier;
/**
- * FIXME: remove this field.
- */
- uint32_t reserved0;
- /**
* Image signature.
*
* The signed region of an image starts at `image_length` and ends at the
@@ -54,9 +50,13 @@
*/
uint32_t image_length;
/**
- * FIXME: Replace with max_version, min_version.
+ * Image major version.
*/
- uint32_t image_version;
+ uint32_t image_major_version;
+ /**
+ * Image minor version.
+ */
+ uint32_t image_minor_version;
/**
* Image timestamp.
*/
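Review bot: The comments on `image_major_version` and `image_minor_version` only restate the field names, and the FIXME they replace (`Replace with max_version, min_version`) implied a version-range check that the header no longer mentions anywhere. A reader of this header cannot tell whether a verifying boot stage compares these fields against a minimum (rollback protection) or whether the minor version participates in any comparison at all. I'd add one sentence stating the intended policy, or a pointer to where that policy is defined, rather than leave the semantics implicit in a field that is now part of the signed layout. The `manifest_t` struct starts before and ends after this hunk.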
@@ -66,51 +66,33 @@
*/
uint32_t exponent;
/**
- * FIXME: remove this field.
+ * Binding value used by key manager to derive secret values.
+ *
+ * A change in this value changes the secret value of key manager, and
+ * consequently, the versioned keys and identity seeds generated at subsequent
+ * boot stages.
*/
- uint32_t reserved1;
+ uint32_t binding_value[8];
/**
- * FIXME: Replace these with binding_tag and max_key_version.
+ * Maximum allowed version for keys generated at the next boot stage.
*/
- uint32_t usage_constraints[8];
- uint32_t lockdown_info[4];
+ uint32_t max_key_version;
/**
* Modulus of the signer's RSA public key.
*/
sigverify_rsa_buffer_t modulus;
- /**
- * Extension fields.
- * FIXME: Remove these until we have a clear use-case.
- */
- uint32_t extension0_offset;
- uint32_t extension0_checksum;
- uint32_t extension1_offset;
- uint32_t extension1_checksum;
- uint32_t extension2_offset;
- uint32_t extension2_checksum;
- uint32_t extension3_offset;
- uint32_t extension3_checksum;
} manifest_t;
OT_ASSERT_MEMBER_OFFSET(manifest_t, identifier, 0);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, reserved0, 4);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, signature, 8);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, image_length, 392);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, image_version, 396);
+OT_ASSERT_MEMBER_OFFSET(manifest_t, signature, 4);
+OT_ASSERT_MEMBER_OFFSET(manifest_t, image_length, 388);
+OT_ASSERT_MEMBER_OFFSET(manifest_t, image_major_version, 392);
+OT_ASSERT_MEMBER_OFFSET(manifest_t, image_minor_version, 396);
OT_ASSERT_MEMBER_OFFSET(manifest_t, image_timestamp, 400);
OT_ASSERT_MEMBER_OFFSET(manifest_t, exponent, 408);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, reserved1, 412);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, usage_constraints, 416);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, lockdown_info, 448);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, modulus, 464);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, extension0_offset, 848);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, extension0_checksum, 852);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, extension1_offset, 856);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, extension1_checksum, 860);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, extension2_offset, 864);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, extension2_checksum, 868);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, extension3_offset, 872);
-OT_ASSERT_MEMBER_OFFSET(manifest_t, extension3_checksum, 876);
+OT_ASSERT_MEMBER_OFFSET(manifest_t, binding_value, 412);
+OT_ASSERT_MEMBER_OFFSET(manifest_t, max_key_version, 444);
+OT_ASSERT_MEMBER_OFFSET(manifest_t, modulus, 448);
OT_ASSERT_SIZE(manifest_t, MANIFEST_SIZE);
/**
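Review bot: The new `binding_value` and `max_key_version` comments describe what the key manager does with the values but not that they are authenticated, which is the property the binding depends on. With `image_length` at offset 388 and the `signature` comment stating the signed region starts at `image_length`, both fields (offsets 412 and 444) fall inside the signed region, assuming that region runs through the rest of the manifest (its end is outside this view). I'd state that explicitly on both fields so a later reorder cannot silently move them ahead of `image_length`, e.g. `* Lies inside the signed region (after image_length) and must stay there.` The updated `OT_ASSERT_MEMBER_OFFSET` checks pin the layout, which is good, but they document offsets rather than intent. The `manifest_t` struct begins before this hunk.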
diff --git a/sw/device/silicon_creator/lib/manifest_size.h b/sw/device/silicon_creator/lib/manifest_size.h
index 3aae1fb..3cffc2c 100644
--- a/sw/device/silicon_creator/lib/manifest_size.h
+++ b/sw/device/silicon_creator/lib/manifest_size.h
@@ -8,6 +8,6 @@
/**
* Manifest size for boot stages stored in flash (in bytes).
*/
-#define MANIFEST_SIZE 880
+#define MANIFEST_SIZE 832
#endif // OPENTITAN_SW_DEVICE_SILICON_CREATOR_LIB_MANIFEST_SIZE_H_
diff --git a/sw/host/rom_ext_image_tools/signer/image/src/manifest.rs b/sw/host/rom_ext_image_tools/signer/image/src/manifest.rs
index 8e6c6a9..faf8755 100644
--- a/sw/host/rom_ext_image_tools/signer/image/src/manifest.rs
+++ b/sw/host/rom_ext_image_tools/signer/image/src/manifest.rs
@@ -26,31 +26,22 @@
// sw/device/silicon_creator/lib/manifest.h \
// -- -I./ -Isw/device/lib/base/freestanding
-pub const MANIFEST_SIZE: u32 = 880;
+pub const MANIFEST_SIZE: u32 = 832;
/// Manifest for boot stage images stored in flash.
#[repr(C)]
#[derive(FromBytes, AsBytes, Debug, Default)]
pub struct Manifest {
pub identifier: u32,
- pub reserved0: u32,
pub signature: SigverifyRsaBuffer,
pub image_length: u32,
- pub image_version: u32,
+ pub image_major_version: u32,
+ pub image_minor_version: u32,
pub image_timestamp: u64,
pub exponent: u32,
- pub reserved1: u32,
- pub usage_constraints: [u32; 8usize],
- pub lockdown_info: [u32; 4usize],
+ pub binding_value: [u32; 8usize],
+ pub max_key_version: u32,
pub modulus: SigverifyRsaBuffer,
- pub extension0_offset: u32,
- pub extension0_checksum: u32,
- pub extension1_offset: u32,
- pub extension1_checksum: u32,
- pub extension2_offset: u32,
- pub extension2_checksum: u32,
- pub extension3_offset: u32,
- pub extension3_checksum: u32,
}
/// A type that holds 96 32-bit words for RSA-3072.
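Review bot: `MANIFEST_SIZE` here duplicates the C `#define MANIFEST_SIZE 832` in `sw/device/silicon_creator/lib/manifest_size.h`, and the only thing tying the two together is `check_manifest_layout`, which per its own TODO(#6915) is not yet run as a test. A doc comment on the constant naming its C twin would at least make the coupling visible to whoever next edits either side: `/// Must match MANIFEST_SIZE in sw/device/silicon_creator/lib/manifest_size.h.` The field changes themselves agree with the C layout as far as this page shows (signature 4, image_length 388, binding_value 412, max_key_version 444, modulus 448, totalling 832 with the 96-word RSA buffers), so the remaining risk is purely the unchecked duplication.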
@@ -73,22 +64,14 @@
/// TODO(#6915): Convert this to a unit test after we start running rust tests during our builds.
pub fn check_manifest_layout() {
assert_eq!(offset_of!(Manifest, identifier), 0);
- assert_eq!(offset_of!(Manifest, reserved0), 4);
- assert_eq!(offset_of!(Manifest, signature), 8);
- assert_eq!(offset_of!(Manifest, image_length), 392);
- assert_eq!(offset_of!(Manifest, image_version), 396);
+ assert_eq!(offset_of!(Manifest, signature), 4);
+ assert_eq!(offset_of!(Manifest, image_length), 388);
+ assert_eq!(offset_of!(Manifest, image_major_version), 392);
+ assert_eq!(offset_of!(Manifest, image_minor_version), 396);
assert_eq!(offset_of!(Manifest, image_timestamp), 400);
assert_eq!(offset_of!(Manifest, exponent), 408);
- assert_eq!(offset_of!(Manifest, reserved1), 412);
- assert_eq!(offset_of!(Manifest, usage_constraints), 416);
- assert_eq!(offset_of!(Manifest, lockdown_info), 448);
- assert_eq!(offset_of!(Manifest, modulus), 464);
- assert_eq!(offset_of!(Manifest, extension0_offset), 848);
- assert_eq!(offset_of!(Manifest, extension0_checksum), 852);
- assert_eq!(offset_of!(Manifest, extension1_offset), 856);
- assert_eq!(offset_of!(Manifest, extension1_checksum), 860);
- assert_eq!(offset_of!(Manifest, extension2_offset), 864);
- assert_eq!(offset_of!(Manifest, extension2_checksum), 868);
- assert_eq!(offset_of!(Manifest, extension3_offset), 872);
+ assert_eq!(offset_of!(Manifest, binding_value), 412);
+ assert_eq!(offset_of!(Manifest, max_key_version), 444);
+ assert_eq!(offset_of!(Manifest, modulus), 448);
assert_eq!(size_of::<Manifest>(), MANIFEST_SIZE as usize);
}